In the Incident Response Process, containment is the step where the identified threat is controlled to prevent any further damage to the system and organization, while maintaining the integrity of the collected incident data. The primary goal of containment is to limit the attack’s scope and prevent any further compromises.
Short-term and Long-term Containment
There are two main types of containment measures that need to be applied depending on the nature of the incident: short-term and long-term containment.
Short-term containment measures focus on stopping the immediate threat by disconnecting affected systems, blocking harmful IP addresses, or temporarily disabling the vulnerable service. However, these steps might result in the loss of valuable incident data, so it is essential to balance them against preserving the evidence needed for further investigation.
Long-term containment focuses on implementing more sustainable solutions that address the root cause of the incident, such as applying security patches, configuring firewalls, and implementing access control measures. These actions are taken to prevent recurrence and must be performed in parallel with the recovery phase to ensure a comprehensive Incident Response Process.
Key Steps in Containment
The following are some key steps that you should follow during the containment phase:
- Isolate - Segregate the affected systems from the rest of the network to stop the spread of the threat.
- Preserve Evidence - Securely capture relevant logs and data for future analysis and investigation.
- Implement Temporary Measures - Take immediate actions to block the attacker and secure the environment while minimizing disruption.
- Update Containment Strategy - Integrate lessons learned from previous incidents and external resources to continuously improve your containment process.
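As an added example that is not part of the original article, the following POSIX shell script ties the Isolate, Preserve Evidence and Implement Temporary Measures steps together on a single Linux host: it captures volatile evidence under a hash manifest and verifies it before blocking an attacker address, so the temporary measure cannot erase the data the investigation needs. The attacker IP argument, the evidence directory layout, the iptables-based block and the BLOCK_CMD override are assumptions made for illustration.

```shell
#!/bin/sh
# Short-term containment for one Linux host: capture volatile evidence FIRST,
# verify it, and only then apply the temporary block. Added example, not from
# the original page. Assumes the responder passes the attacker IPv4 address and
# that iptables blocks it (set BLOCK_CMD=echo for a dry run); needs sha256sum.

# Snapshot volatile state that disconnecting or rebooting the host would erase.
# Each collector is guarded so the script still runs on minimal installs.
capture_volatile_evidence() {
    outdir="$1"
    mkdir -p "$outdir" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ > "$outdir/captured_at.txt"
    hostname > "$outdir/hostname.txt" 2>/dev/null || true
    ps -ef > "$outdir/processes.txt" 2>/dev/null || ps aux > "$outdir/processes.txt" 2>/dev/null || true
    if command -v ss >/dev/null 2>&1; then          # active sockets: ss, else netstat
        ss -tunap > "$outdir/sockets.txt" 2>/dev/null || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap > "$outdir/sockets.txt" 2>/dev/null || true
    fi
    # Hash manifest over the captured .txt files; investigators can later prove
    # the evidence was not altered after collection.
    (cd "$outdir" && sha256sum ./*.txt > MANIFEST.sha256) || return 1
}

# Chain-of-custody check: non-zero if any captured file no longer matches.
verify_evidence() {
    (cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1)
}

# Block the attacker address only after evidence is captured and verified, so
# the containment action never destroys the data needed to investigate it.
contain_attacker_ip() {
    ip="$1"; evidence_dir="$2"
    case "$ip" in
        ""|*[!0-9.]*) echo "refusing to block malformed IPv4 address: '$ip'" >&2; return 2 ;;
    esac
    capture_volatile_evidence "$evidence_dir" || return 1
    verify_evidence "$evidence_dir" || { echo "evidence manifest mismatch, not blocking" >&2; return 1; }
    blocker="${BLOCK_CMD:-iptables}"
    "$blocker" -I INPUT  -s "$ip" -j DROP || return 1   # inbound from the attacker
    "$blocker" -I OUTPUT -d "$ip" -j DROP || return 1   # outbound, e.g. beaconing
    # Responder action log is kept beside the evidence but outside the manifest.
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) blocked $ip on $(hostname)" >> "$evidence_dir/actions.log"
}

# Usage: sh contain.sh <attacker-ip> [evidence-dir]
if [ $# -ge 1 ]; then
    contain_attacker_ip "$1" "${2:-/var/tmp/ir-evidence-$(date +%s)}"
fi
```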
By properly executing the containment phase of the Incident Response Process, you will be well-prepared to eradicate the root cause of the cyber security threat and recover your affected systems with minimal damage to your organization.